Protecting Privacy During an Infectious Disease Panic

Reprinted with permission from the December 9 issue of Corporate Counsel. (c) 2014 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

In September and October, cable news outlets chased ratings with disproportionate and inflammatory coverage that screamed “All Ebola, All the Time,” raising the question of how the media was obtaining detailed information about individual patients. Now that the headlines have moved on to other crises, we have the opportunity to consider lessons learned from the response to the Ebola outbreak. And with good reason, since these lessons may apply to any similar scenario, be it SARS, MERS, H1N1 or a new epidemic we have yet to see. Another real or perceived “urgent” situation could arise at any time without warning, and implementing a clear-minded, rational privacy protocol before the next crisis occurs is sound and smart strategy.

Imagine the following scenario greeting you one morning: It isn’t stressful enough that you have just learned that a patient is being evaluated for a suspected case of a dreaded infectious disease in your hospital—now the patient’s name and photo are appearing all over the national news. A reporter is on the phone asking for comment from anyone whom he or she can get to talk, camera crews are filling your parking lot, and your chief privacy and security officers are on hold on two separate lines. In these situations, health privacy considerations and public/media demands are bound to collide.

Twentieth-century notions of health information privacy, as embodied in 1996’s Health Insurance Portability and Accountability Act (HIPAA), are struggling to keep up with the realities of today’s increasingly alarmist 24-hour cable news cycle. Add to that blogs and other frequently anonymous and unmoderated online news sources, plus pressure from a panicked public and besieged regulators, and, well, you get the drift.

The faces and names of the handful of people who have been exposed to Ebola in the U.S. to date suddenly became as familiar as those of tabloid celebrities, but it is not always clear how they were identified by the media. In some instances, such as the case of Thomas Eric Duncan, the first patient to die of the disease in the U.S., it appears that his family members disclosed his name and details of his care to news outlets. Other affected individuals, including Dr. Kent Brantly and Dallas nurse Nina Pham, have made statements or written first-person accounts for publication describing their experiences. In other circumstances, news outlets have boasted that their detective work led them to the patients’ identities. In this charged environment, it is critical for health-care providers to ensure that their own staff and contractors know what they can and cannot disclose, and to whom.

First, a little background. HIPAA protects the privacy and security of individually identifiable health information (referred to in the law as protected health information, or PHI). HIPAA doesn’t apply to everyone. The law’s privacy rule restricts the access to, and release of, PHI by “covered entities” and their business associates. Covered entities are generally health plans, health-care clearinghouses and health-care providers that conduct certain financial and administrative transactions electronically. The law also applies to “business associates,” which are persons or entities that perform certain functions that involve the use or disclosure of PHI on behalf of, or provide services to, a covered entity. Business associates commonly include consulting firms, accounting firms, law firms, IT vendors, physical and digital storage providers, and billing services.

An employer also may be a HIPAA “covered entity” if it operates a self-insured health plan or health reimbursement plan, a wellness program, an employee assistance program or an on-site clinic for its employees; if it is the business associate of a covered entity; or if it acts as the intermediary between its employees and health-care providers. Before accessing or disclosing any employee PHI, the first step is to determine whether you are a covered entity. Don’t overlook your state’s laws—if they are more stringent, they will supersede HIPAA.

HIPAA does not restrict what information patients, or their family members, clergy, friends or neighbors, may legally disclose. (However, state privacy or defamation statutes and case law may limit what family members, clergy, friends or neighbors may legally disclose.)

The general rule for covered entities and business associates is that PHI only may be disclosed with the individual’s consent unless an exception applies. Ebola is a devastating communicable disease about which the general public needs timely education and guidance, but HIPAA does not provide exceptions for newsworthy or unusually terrifying medical conditions. There are exceptions relating to public health and safety, but they generally do not permit covered entities or their business associates to release PHI to the media or general public.

The HIPAA exception for uses and disclosures for public health activities allows a covered entity to use or disclose PHI to a public health authority, such as the Centers for Disease Control and Prevention (CDC) of the U.S. Department of Health and Human Services. The CDC is authorized by law to collect or receive such PHI for the purpose of preventing or controlling disease, injury or disability, including, but not limited to, the reporting of disease and injury, and the conduct of public health surveillance, public health investigations and public health interventions.

Public health authorities do not have the unlimited ability to publicly disclose PHI either. Although HIPAA does not directly regulate those authorities, except where they are direct health-care providers, they must maintain, use and disclose the data consistent with the laws, regulations and policies applicable to the public health authority. This may include reaching out to individuals who may have come into contact with an infected individual.

What information can a health-care provider legally release to the news media or other outsiders without appropriate patient or family consent? Facilities may disclose very limited “directory” information to persons who ask for the individual by name, and only if the individual has had an opportunity to object and did not do so. That information may include only the individual’s name, the individual’s location in the covered health-care provider’s facility, and the individual’s condition described in general terms that do not communicate specific medical information about the individual. These are typically the one-word condition terms defined by the AMA: “undetermined,” “good,” “fair,” “serious” or “critical.” HIPAA also allows disclosures to clergy in some circumstances if the patient did not object when asked.

In “emergency circumstances” for which the opportunity to object is not practical, a health-care provider may disclose directory information if such disclosure is consistent with a known prior expressed preference of the individual, and the disclosure is in the individual's best interest as determined by the covered health-care provider.

Family members do not necessarily stand in the shoes of the patient. A patient may expressly authorize disclosures to a “personal representative,” for instance, under a health-care power of attorney. HIPAA permits covered entities and business associates to make disclosures to a family member, other relative, a close personal friend of the individual or any other person identified by the individual, if the PHI is directly relevant to such person's involvement with the individual's health care or payment for that care. In addition, for deceased patients PHI may be disclosed to coroners and medical examiners, funeral directors, organ procurement organizations and the individual’s executor, administrator or other person who has authority to act on behalf of the individual’s estate. Not all relatives can compel the release of a decedent’s medical records, but anyone who obtains such records is not prohibited by HIPAA from sharing them with the media—which may explain some of the recent Ebola disclosures.

HIPAA also requires that disclosures be limited to the minimum information reasonably necessary to accomplish the intended purpose. This “minimum necessary” standard means that those who are not involved in a patient’s care should not “snoop” through the patient’s records out of curiosity. In fact, one such case of electronically peeking at celebrity and coworker records by an employee of the UCLA Medical Center resulted in a prison term, even though no information was publicly released or sold. Details about Ebola cases may be irresistible to curious staffers, as in the instance of two Nebraska Medical Center employees who were fired for improperly accessing the records of a patient being treated for Ebola in September.

Before any nightmare scenario begins to unfold, all covered entities and business associates should reinforce their existing privacy and security internal policies and remind all staff that violations will result in swift and serious sanctions. You should review your media response plan and ensure that it instructs all personnel to direct inquiries to a single, accountable source, or develop such a plan if you don’t have one. Plan ahead and don’t wait until CNN is on the phone, Fox News is at your door and a task force from the CDC is winging its way to your facility.
